You’re not alone if you don’t have a formal insider threat program. Over 50% of organizations allocated no budget for an insider threat program, and 90% of those with no budget were small and medium businesses (SMBs). Unfortunately, in this instance, there’s no strength in numbers.
The stakes are higher than you may think
Insider threat, whether by malicious or well-intentioned employees, opens doors for external attackers. One click on a phishing email could be the entry point for an attacker to infiltrate your network.
Since cyber risk is inherent, you may think, “I’m a small fry, it won’t happen to me.” Maybe, but the FBI’s cyber division received complaints totaling almost $7 billion in losses, most of them suffered by SMBs. Why aren’t the attackers going after the whales? The whales have fortified themselves with effective insider threat programs, so attackers have moved on to a new technique: casting wide nets to catch tons of fish.
Let’s say your business is one of those fish. How bad is the damage, really? It turns out pretty bad: 60% of SMBs fail within 6-12 months after disclosing a breach. If you can’t absorb the loss from a data breach, where ransomware halts your operations and sets off a domino effect that ends in failure, it’s time to seriously consider an insider threat program.
The case for a formal program
When the stakes are this high, winging it won’t do. Here’s how a formal insider threat program can make your investment worthwhile.
1 – Risk identification
A formal program will help you identify your biggest areas of vulnerability and prioritize solutions based on your needs. In an area like insider threat security, where you have a myriad of options—access control systems, multi-factor authentication (MFA), patch management, and data loss prevention (DLP), to name a few—spending some time upfront will help you understand your attack surface and which solutions will have the most impact in reducing it.
As Carnegie Mellon University’s Software Engineering Institute states, an insider threat program aims to “prevent, detect, and respond to insider threats to the organization’s critical assets, both reactively and proactively.” A formal program will help you understand and manage your risks while maintaining business operations.
2 – Preparation for crisis
Every second can make a difference when a cyber attack freezes your operations. Ransomware, for example, is a popular type of malware where attackers render your files unusable (e.g., locked via encryption) and demand payment to provide you access again. You may shut down your operations to prevent the malware from spreading, and the cost of disruption is a significant variable to weigh. In 2021, Colonial Pipeline notified the FBI within hours and paid $5 million in ransom just a day later to minimize further disruption in critical gas infrastructure across regions of the US.
SMBs can follow a similar blueprint for incident response. Take it from the Ransomware Task Force (RTF), a cross-sector organization of 60+ experts from industry, government, academia, and nonprofits based in the US. In their Blueprint for Ransomware Defense, the RTF emphasizes that SMBs must establish an incident response plan that includes what logs should be collected, who to report to, what should be included in a report, and who is authorized to respond to something like ransom. An outlined plan will help an organization determine the attack vector, provide a way forward to continued business, and prevent a similar attack from happening again.
3 – Regulatory compliance
Depending on your business type and the geographic areas you serve, your business may be subject to legal requirements regarding customer data. The General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA) in the United States are all examples of regulations that dictate how businesses should handle the personal data of customers.
How does this relate to insider threat? Of insider threat incidents, over 40% involve customer data; this could be a well-intentioned insider who uploads customer data to external sites to make their workflow more efficient, or the target of a malicious insider looking to leak or steal information. By identifying the data at risk, standardizing access control, and training your staff on how and when to use this data, an insider threat program can help you safeguard your customers’ data and meet legal requirements.
4 – Threat reduction via education
An effective insider threat program will help solidify cyber-aware habits through a sincere and deliberate change in culture that will pay it forward in your cybersecurity defense. To ensure insider threat training is “more than just a slide deck,” track the effect of your training over time. For example, you could deploy fake phishing emails across your organization and measure how many employees click on them over time.
In addition to training your staff on best practices, your staff can help identify people who may turn from well-intentioned to malicious well before technology can. Someone who may be under high stress for personal reasons, or deeply unsatisfied with the company may be at risk as a future insider threat. You can empower your workforce to take note of these individuals while creating a culture of empathy vs. Big Brother.
You can get started today
SMBs are wary of formal programs for similar reasons: lack of expertise, time, funding, or all of the above. Your CIO might be wearing multiple hats, or your budget might already be stretched thin.
Fear not—if all this sounds like an impossible task, it doesn’t have to be. Instead of starting from scratch, you can get started with the advice of the U.S. Government’s Cybersecurity and Infrastructure Security Agency: MFA, patch, backup, plan. This SMB-specific advice recommends solutions with the highest impact first and provides a path forward for future iteration.
An organization that hasn’t prioritized insider threat security needs a driver for change. Maybe that’s you or a team you’ve recruited. Either way, when the survival of your business is at stake, it’s time for a change. If you want to move from reactive to proactive—it’s time for an insider threat program.